Cybersecurity and Research at RIT: Regulatory Compliance

Introduction

Research at RIT is subject to various compliance requirements. One example of compliance requirements is Cyber Maturity Model Certification (CMMC). CMMC can be understood as the verification mechanism the US government uses to audit contractors’ compliance to NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The Department of Defense (DoD) created CMMC in response to the continued exfiltration of Controlled Unclassified Information (CUI) from its supply chain. The Cybersecurity Maturity Model (CMMC) Certification ensures the appropriate cybersecurity controls and processes are implemented to protect Controlled Unclassified Information (CUI).

Department of Defense (DoD) contractors and researchers need to obtain third-party certification that meets requirements for the CMMC maturity level appropriate to the work they wish to do for the DoD. The new CMMC mandate includes university-based research labs and facilities—as well as FFDRCs (Federally Funded Research and Development Centers) and UARCs (University Affiliated Research Centers). This means RIT researchers are not exempted if they want to work with the Department of Defense (DoD).

According to National Archive, CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

When RIT researchers have a government contract or award that indicates that they are working with Controlled Unclassified Information, or contract clauses that indicate that NIST SP 800-171 controls are required, they will be required to work within CUI research computing environment to ensure the confidentiality, integrity, and availability, of the CUI data is secured.

Infographic showing CMMC maturity process progression

Cybersecurity Maturity Model Certification (CMMC) does not allow an organization’s self-assessment compared to NIST 800-171 which allows organizations to self-attest how compliant they have been in implementing the required controls to protect CUI data.

The graphics above show the various checklists both NIST 800-171 and CMMC would require organizations to satisfy to show compliance. The big takeaway is, NIST 800-171 would allow an organization’s self-assessment on its implementation of required security controls but CMMC would require an approved third party organization to assess and validate an organization’s compliance status.

RIT is focused on creating and maintaining the appropriate cybersecurity maturity level which would assist our Researchers who are required to protect CUI data.

For more information and resources to help you protect research data and comply with cybersecurity requirements in grants, contracts, and data use agreements, contact:

Some Best Practices for Securing CUI

  • Limit access to CUI on system media to authorized users
  • Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas
  • Control the flow of CUI in accordance with approved authorizations
  • Protect (e.g., physically control and securely store) system media containing CUI, both paper and digital
  • Back up all systems containing CUI
  • Use Multi-factor Authentication for accessing CUI
  • Limit the number of privileged users by implementing the principle of least privilege
  • Promote cybersecurity awareness
  • Monitor third-party access to CUI

RIT Resources

RIT provides a number of resources for faculty/staff seeking to obtain government funding and information on compliance requirements.